Rec: 8.6.1 - Validate Test-ReportSecurityInTeams.ps1, ELevel: E3, ProfileLevel: L1, IG1: FALSE, IG2: FALSE, IG3: FALSE, Connection: Microsoft Teams | EXO

[DrIOSX]

Validation for Test-ReportSecurityInTeams.ps1

Recommendation Details

• Recommendation: 8.6.1
• Description: Ensure users can report security concerns in Teams
• ELevel: E3
• Profile Level: L1
• CIS Control: 0
• CIS Description: Explicitly Not Mapped
• Implementation Group 1: FALSE
• Implementation Group 2: FALSE
• Implementation Group 3: FALSE
• Automated: TRUE
• Connection: Microsoft Teams | EXO

Test-ReportSecurityInTeams.ps1

Tasks

Validate recommendation details

• [x] Confirm that the recommendation details are accurate and complete as per the CIS benchmark.

Validate test for a pass

• [x] Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
  • Specific conditions to check:
  • Condition A: Ensure the Report a security concern setting in the Teams admin center is set to On.
  • Condition B: Verify that Monitor reported messages in Microsoft Teams is checked in the Microsoft 365 Defender portal.
  • Condition C: Ensure the Send reported messages to setting in the Microsoft 365 Defender portal is set to My reporting mailbox only with the correct report email addresses.
  • Additional Conditions:
    • ReportJunkToCustomizedAddress is set to True
    • ReportNotJunkToCustomizedAddress is set to True
    • ReportPhishToCustomizedAddress is set to True
    • ReportJunkAddresses contains the appropriate security email address(es)
    • ReportNotJunkAddresses contains the appropriate security email address(es)
    • ReportPhishAddresses contains the appropriate security email address(es)
    • ReportChatMessageToCustomizedAddressEnabled is set to True
    • ReportChatMessageEnabled is set to False

Validate test for a fail

• [x] Confirm that the failure conditions in the automated test are consistent with the manual audit results.
  • Specific conditions to check:
  • Condition A: The Report a security concern setting in the Teams admin center is not set to On.
  • Condition B: The Monitor reported messages in Microsoft Teams setting is not checked in the Microsoft 365 Defender portal.
  • Condition C: The Send reported messages to setting in the Microsoft 365 Defender portal is not set to My reporting mailbox only or the report email addresses are incorrect.
  • Additional Failure Conditions:
    • ReportJunkToCustomizedAddress is not set to True
    • ReportNotJunkToCustomizedAddress is not set to True
    • ReportPhishToCustomizedAddress is not set to True
    • ReportJunkAddresses does not contain the appropriate security email address(es)
    • ReportNotJunkAddresses does not contain the appropriate security email address(es)
    • ReportPhishAddresses does not contain the appropriate security email address(es)
    • ReportChatMessageToCustomizedAddressEnabled is not set to True
    • ReportChatMessageEnabled is not set to False

Add notes and observations

• [ ] Compare the automated audit results with the manual audit steps and provide detailed observations.
  • Automated audit produced info consistent with the manual audit test results? (Yes/No)
  • Without disclosing any sensitive information, document any discrepancies between the actual output and the expected output.
  • Document any error messages, removing any sensitive information before submitting.
  • Identify the specific function, line, or section of the script that failed, if known.
  • Provide any additional context or observations that might help in troubleshooting.

If needed, the helpers folder in .\source\helpers contains a CSV to assist with locating the test definition.

[DrIOSX]

Base PowerShell Audit:

Get-CsTeamsMessagingPolicy -Identity Global | fl AllowSecurityEndUserReporting

Get-ReportSubmissionPolicy | fl Report*